DEV Community

LaTerral Williams

🛡️ Building a Mini Cloud Security Posture Management (CSPM) Lab Using AWS Security Hub + AWS Config

⭐ Why I Built This Project

Instead of studying cloud security concepts in isolation (theory only), I’m using real job descriptions as a roadmap and building hands-on projects that map directly to what employers expect.

This 6-part series focuses on skills frequently requested in cloud security, cloud operations, and security engineering roles, including:

  • Identity hardening and MFA enforcement
  • IAM governance and access reviews
  • Continuous monitoring of cloud resources
  • Log analysis, audit readiness, and evidence gathering
  • Guardrails at scale using AWS Organizations + Service Control Policies

Each project aims to reflect real-world responsibilities, not just theoretical knowledge.


📌 Project Sequence

👉 Part 1 focused on AWS IAM Hardening, tightening identity boundaries and improving authentication hygiene.

👉 Part 2 (this project) expands into Cloud Security Posture Management (CSPM), using AWS Security Hub + AWS Config to detect misconfigurations, enforce security standards, and simulate an enterprise multi-account security architecture.


🔐 Why This Progression Matters

Modern cloud security teams approach security in layers:

Identity first → Posture second → Threat detection next.

A hands-on, beginner-friendly guide to setting up Cloud Security Posture Management (CSPM) in AWS, using a real enterprise deployment pattern with AWS Organizations + Delegated Administrator, intentional misconfigurations, CLI exports, troubleshooting, and a final cleanup plan.


📘 Table of Contents

  1. Overview: What We’re Building
  2. Architecture: How CSPM Works in the Real World
  3. Prerequisites
  4. Step 1: Prepare AWS Organizations
  5. Step 2: Create & Access the Delegated Admin Account
  6. Step 3: Enable AWS Config Across the Org
  7. Step 4: Enable AWS Security Hub CSPM
  8. Step 5: Validate CSPM Is Working
  9. Step 6: Create Intentional Misconfigurations
  10. Step 7: View & Export Findings
  11. Troubleshooting (Real Errors I Hit & Fixes)
  12. What Not To Do in Production (But OK in This Lab)
  13. Cleanup Steps
  14. Final Thoughts

1️⃣ Overview: What We’re Building

In this lab you’ll build a mini CSPM using:

  • AWS Security Hub CSPM
  • AWS Config
  • AWS Organizations with a Delegated Administrator

You will:

  • Stand up a realistic enterprise-style architecture (management account + security account).
  • Create intentional misconfigurations (like a public S3 bucket and open security group).
  • Let Security Hub CSPM detect them.
  • Export findings with the AWS CLI / CloudShell.
  • Practice remediation and then clean everything up to control cost.

2️⃣ Architecture: How CSPM Works in the Real World

In production, CSPM rarely runs from the same account that owns workloads.

Instead, you usually see:

  • Management Account

    • Owns AWS Organizations
    • Enables services like Security Hub + Config at the org level
    • Assigns a delegated administrator
  • Delegated Admin Account (Security / Audit account)

    • Runs Security Hub CSPM
    • Aggregates findings from all member accounts
    • Sees the overall security posture
    • Drives remediation across the org

That’s exactly the pattern we’ll follow here.


3️⃣ Prerequisites

You’ll need:

  • An AWS Organization already created (or permission to create one).
  • Permission to create a new member account.
  • Basic understanding of:
    • IAM users / roles
    • S3 buckets
    • EC2 security groups
  • Either:
    • AWS CloudShell (recommended), or
    • AWS CLI installed on your machine.

This lab assumes a personal / sandbox environment, not production.


4️⃣ Step 1: Prepare AWS Organizations

  1. In the management account, open AWS Organizations.
  2. If Organizations is not enabled, enable it.
  3. (Optional but nice) Create a simple structure:

```text
Root
└── Security OU
     └── cspm-admin-account
```

We’ll put our delegated admin account in the Security OU later.


5️⃣ Step 2: Create & Access the Delegated Admin Account

5.1 Create a new member account

From the management account:

  1. Go to Organizations → Accounts → Add an AWS account → Create an AWS account.
  2. Example values:

```text
Account name: cspm-admin-account
Email: yourname+securityhub@example.com
```

  3. Place it into your Security OU if you created one.

This new account will become the Security Hub delegated administrator.


5.2 Assign the delegated administrator

Still in the management account:

  1. Open Security Hub.
  2. Go to Settings → Accounts.
  3. Choose Designate a delegated administrator.
  4. Select the cspm-admin-account.

Security Hub will now treat that account as the org-wide CSPM brain.


5.3 Switch role into the delegated admin account

You normally don’t log into member accounts directly as root.

Instead, use Switch Role.

  1. Log in to the management account as an IAM admin user (not root).
  2. In the top-right, choose your username → Switch role.
  3. Enter:
    • Account ID: the 12-digit ID of cspm-admin-account
    • Role: OrganizationAccountAccessRole
  4. Optionally give the role a display name and a color (e.g., CSPM-Admin in blue).

You are now operating inside the delegated admin account with full admin rights.


6️⃣ Step 3: Enable AWS Config Across the Org

AWS Config records configuration history and feeds data to Security Hub.

In the management account:

  1. Go to AWS Config → Settings / Get started.
  2. Resource recording:
    • Choose Record all resources supported in this region.
  3. S3 bucket for configuration history & snapshots:
    • Create or choose a bucket (defaults are fine for this lab):
      • ACLs disabled
      • Versioning off
      • SSE-S3 encryption on
      • Bucket Key enabled
  4. Skip SNS notifications to avoid alert noise for the project.
  5. Save your settings and make sure recording is ON.

💡 In a larger environment you might scope to specific resource types for cost, but for a mini CSPM lab recording all resources gives you a more realistic feel.


7️⃣ Step 4: Enable AWS Security Hub CSPM

Still in the management account:

  1. Open Security Hub.
  2. Choose Get started → Configure Security Hub CSPM.
  3. You’ll be asked for:
    • Home Region (choose the region you’ll mainly work in).
    • AWS Account Number (enter the management account’s 12‑digit ID).
  4. Accept the prompt to create/update the delegation policy.

Once enabled, Security Hub CSPM will automatically turn on:

  • AWS Foundational Security Best Practices v1.0.0
  • CIS AWS Foundations Benchmark v1.2.0

You now have an org-level CSPM engine, with cspm-admin-account as the delegated administrator.


8️⃣ Step 5: Validate CSPM Is Working (Delegated Admin View)

Switch role back into the cspm-admin-account (delegated admin).

Open Security Hub and check:

  • Dashboard – You should see:

    • Number of controls
    • Findings over time
    • A breakdown of threats / exposure / resources
  • Security standards – Confirm:

    • AWS Foundational Security Best Practices v1.0.0 is Enabled.
    • CIS AWS Foundations Benchmark v1.2.0 is Enabled.
  • Settings → Accounts – Should say:

    • “This account is the delegated administrator for your organization.”

If all of that looks good, CSPM is officially online. 🎉


9️⃣ Step 6: Create Intentional Misconfigurations

Now the fun part: we’ll create a few misconfigurations on purpose in the delegated admin account so Security Hub can yell at us.

⚠️ Do this only in a sandbox environment.

Never create intentional vulnerabilities in production.


9.1 Misconfig #1 – Public S3 bucket

  1. In S3, choose Create bucket.
  2. Name it something like: cspm-test-bucket-001.
  3. Region: same as your Security Hub home region.
  4. In Block Public Access settings for this bucket:
    • Uncheck Block all public access.
    • Acknowledge the scary warning.
  5. (Optional but loud) Add a bucket policy that allows public reads.

Security Hub should eventually trigger a finding similar to:

“Amazon S3 Block Public Access was disabled for the S3 bucket cspm-test-bucket-001.”

You can even add a comment in the finding like:

Will triage and disable public access.


9.2 Misconfig #2 – Open security group

  1. Go to EC2 → Security Groups → Create security group.
  2. Name: cspm-open-ssh-test.
  3. Inbound rule:
    • Type: SSH
    • Port: 22
    • Source: 0.0.0.0/0 (anywhere)
  4. Save.

Security Hub will flag this with an EC2-related control (e.g., “Security groups should not allow unrestricted SSH access”).


9.3 Misconfig #3 – Root account use (already flagged)

If you’ve logged in or used the root account recently, Security Hub may already show findings like:

  • “The API ConsoleLogin was invoked using root credentials.”
  • “The API DescribeRegions was invoked using root credentials.”

These are a great example of how CSPM watches for bad identity hygiene, not just network or S3 misconfigurations.


🔟 Step 7: View & Export Findings

10.1 View findings in the console

In the delegated admin account:

  1. Security Hub → Findings
  2. Use filters such as:
    • Product name: Security Hub
    • Severity label: LOW, MEDIUM, or HIGH
  3. Click on a finding for details:
    • Title & Description
    • Resource (e.g., S3 bucket ARN)
    • Severity
    • Remediation (often linked AWS docs)
    • Notes / Comments (you can add your own)

The Dashboard also gives you a nice view of:

  • Threats
  • Exposure
  • Number of resources
  • Findings by Region and severity breakdown


10.2 Export findings with AWS CLI (CloudShell)

For this project, we’ll use AWS CloudShell so we don’t have to store credentials locally.

  1. While still in the delegated admin account, open CloudShell from the console.
  2. Verify your identity:

```bash
aws sts get-caller-identity
```

  3. Export findings to a JSON file:

```bash
aws securityhub get-findings \
  --region us-east-1 \
  --output json > securityhub-findings.json
```

  4. List the file:

```bash
ls -l securityhub-findings.json
```

The --region value must be the Security Hub home region you chose in Step 4; us-east-1 is just the example used here.


10.3 Small JSON example

Here’s a safe, shortened snippet similar to what you’ll see:

```json
{
  "Findings": [
    {
      "Title": "Amazon S3 Block Public Access was disabled",
      "Description": "Block Public Access settings were disabled for bucket cspm-test-bucket-001.",
      "Severity": { "Label": "LOW" },
      "Resources": [
        {
          "Id": "arn:aws:s3:::cspm-test-bucket-001",
          "Type": "AwsS3Bucket"
        }
      ]
    }
  ]
}
```

In a real environment, this JSON could be fed into SIEMs, dashboards, or automation workflows.
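To make the exported file useful beyond eyeballing it, here is an added Python example (mine, not code from the original post) that reads the get-findings JSON and counts open failures by severity and resource type. The embedded sample export is constructed to match the shape above; its account ID and security-group ID are placeholders.

```python
"""Summarise a Security Hub export (the JSON written by
`aws securityhub get-findings --output json`) by severity and resource type.
Added example for this lab, not code from the original post; the sample
export below is constructed and its account/security-group IDs are placeholders."""
import json
import sys
from collections import Counter

# Constructed sample in the ASFF layout that get-findings returns.
SAMPLE_EXPORT = json.dumps({"Findings": [
    {"Title": "Amazon S3 Block Public Access was disabled",
     "Severity": {"Label": "LOW"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:s3:::cspm-test-bucket-001",
                    "Type": "AwsS3Bucket"}]},
    {"Title": "Security groups should not allow unrestricted SSH access",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "FAILED"},
     "Workflow": {"Status": "NEW"},
     "Resources": [{"Id": "arn:aws:ec2:us-east-1:111122223333:security-group/sg-0abc",
                    "Type": "AwsEc2SecurityGroup"}]},
    {"Title": "CloudTrail should be enabled",
     "Severity": {"Label": "HIGH"}, "Compliance": {"Status": "PASSED"},
     "Workflow": {"Status": "RESOLVED"},
     "Resources": [{"Id": "AWS::::Account:111122223333", "Type": "AwsAccount"}]},
]})

def load_findings(raw: str) -> list:
    """Parse the export; get-findings wraps everything under a top-level Findings key."""
    return json.loads(raw).get("Findings", [])

def open_failures(findings: list) -> list:
    """Keep findings that FAILED a control and are still NEW or NOTIFIED;
    RESOLVED and SUPPRESSED findings are not actionable."""
    return [f for f in findings
            if f.get("Compliance", {}).get("Status") == "FAILED"
            and f.get("Workflow", {}).get("Status") in ("NEW", "NOTIFIED")]

def summarize(findings: list) -> dict:
    """Count open failures by severity label and by ASFF resource type."""
    fails = open_failures(findings)
    by_sev = Counter(f["Severity"]["Label"] for f in fails)
    by_type = Counter(r["Type"] for f in fails for r in f.get("Resources", []))
    return {"open": len(fails), "by_severity": dict(by_sev),
            "by_resource_type": dict(by_type)}

if __name__ == "__main__":
    # Usage in CloudShell: python3 summarize.py securityhub-findings.json
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    print(json.dumps(summarize(load_findings(raw)), indent=2))
```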


1️⃣1️⃣ Troubleshooting (Real Errors I Hit & Fixes)

I ran into several very real-world errors while building this.

Here’s what they meant and how they were resolved.


🔧 “The delegated administration for SecurityHub CSPM was not fully configured…”

Variations included:

  • “…is already a member under another account for these regions…”
  • “You specified an account that doesn't exist…”

Cause:

Old Security Hub Org configuration or delegated admin metadata existed from a previous project.

Fix:

From the management account:

  • Remove any existing delegated admin for Security Hub.
  • Disable trusted access for Security Hub under Organizations → Services.
  • Re-run the CSPM setup wizard and assign the new cspm-admin-account as delegated admin.

🔧 “You cannot register the management account as delegated administrator”

Cause:

By design, the management account cannot also be the delegated admin for CSPM.

Fix:

  • Create a separate member account (cspm-admin-account).
  • Use that as the delegated admin.

Lesson: this project accidentally forced me into the correct enterprise pattern. 😄


🔧 CLI error: explicit deny in a Service Control Policy (SCP)

Example:

```text
AccessDeniedException: ... not authorized to perform: securityhub:GetFindings ...
with an explicit deny in a service control policy
```

Cause:

An SCP attached at the Root or OU level explicitly denied Security Hub actions, even though my IAM user had permissions.

Fix:

From the management account:

  • Review SCPs attached to the OU / account.
  • Either:
    • Remove the restrictive SCP from the delegated admin account, or
    • Add an exception to the deny statement so it no longer applies to the delegated admin account:

```json
"Condition": {
  "StringNotEquals": {
    "aws:PrincipalAccount": "DELEGATED_ADMIN_ACCOUNT_ID"
  }
}
```

Lesson: SCPs override IAM. If an SCP says “no,” nothing else can say “yes.”
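The exception above is easier to reason about inside a complete Deny statement, so here is an added Python example (mine, not from the post or AWS) that writes out that statement and models the SCP-versus-IAM decision in simplified form. It assumes the default FullAWSAccess SCP is still attached, models only StringEquals/StringNotEquals conditions, and uses placeholder account IDs.

```python
"""Simplified model of how an SCP explicit deny overrides an IAM allow.
Added example for this post, not AWS's evaluator: it covers only action
wildcards and the aws:PrincipalAccount exception from the troubleshooting
section. Account IDs are constructed placeholders."""
from fnmatch import fnmatch

DELEGATED_ADMIN = "111122223333"   # placeholder for cspm-admin-account
WORKLOAD_ACCOUNT = "444455556666"  # placeholder for any other member account

# Deny Security Hub everywhere except in the delegated admin account.
SCP_WITH_EXCEPTION = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenySecurityHubOutsideDelegatedAdmin",
        "Effect": "Deny",
        "Action": ["securityhub:*"],
        "Resource": "*",
        "Condition": {"StringNotEquals": {"aws:PrincipalAccount": DELEGATED_ADMIN}},
    }],
}

def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Only StringEquals / StringNotEquals on request-context keys are modelled.
    A missing key makes StringNotEquals succeed, as in AWS."""
    for op, pairs in condition.items():
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if op == "StringEquals" and actual != expected:
                return False
            if op == "StringNotEquals" and actual == expected:
                return False
    return True

def scp_explicitly_denies(scp: dict, action: str, ctx: dict) -> bool:
    """True when any Deny statement matches the action and its condition holds."""
    for stmt in scp["Statement"]:
        if stmt["Effect"] != "Deny":
            continue
        acts = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if any(fnmatch(action, a) for a in acts) and \
                _condition_matches(stmt.get("Condition", {}), ctx):
            return True
    return False

def allowed(scp: dict, action: str, ctx: dict, iam_allows: bool) -> bool:
    """An SCP deny wins no matter what the identity's IAM policy grants."""
    return iam_allows and not scp_explicitly_denies(scp, action, ctx)
```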


🔧 “Switch role” option missing

Cause:

I was logged in as the root user, which doesn’t get the Switch Role option.

Fix:

  • Create an IAM admin user in the management account.
  • Log in as that IAM user instead.
  • The Switch role menu appears in the top-right.

1️⃣2️⃣ What Not To Do in Production (But OK in This Lab)

I intentionally bent a few rules to keep this lab simple.

They’re fine here, but you should not copy them into a real environment.


❌ Long-lived access keys for a CSPM admin user

For testing the CLI, I created an IAM user and access key.

In production you should instead:

  • Use AWS IAM Identity Center (SSO)
  • Or use STS AssumeRole with short-lived credentials
  • Or stick to CloudShell, which gives you ephemeral credentials bound to your console role.

❌ Creating misconfigurations directly in the security account

In enterprises, the delegated admin account is often locked down and doesn’t host workloads.

For learning, it was convenient to create test S3 buckets and security groups there.

In production, do this kind of testing in separate test accounts.


❌ Disabling S3 Block Public Access

We temporarily disabled this to generate findings.

In real environments, you usually want:

  • Account-level Block Public Access ON
  • Bucket-level Block Public Access ON
  • Tight bucket policies and IAM least privilege

1️⃣3️⃣ Cleanup Steps

To avoid surprise bills and leave your org clean, run through these steps when you’re done.


13.1 Disable Security Hub CSPM (delegated admin account)

  1. In cspm-admin-account, go to Security Hub.
  2. Under Security standards, disable each enabled standard (FSBP, CIS).
  3. In Settings, disable Security Hub entirely for that region.

13.2 Disable Security Hub Org integration (management account)

  1. In the management account, open AWS Organizations → Services.
  2. Select Security Hub.
  3. Choose Disable trusted access.

Optionally also remove cspm-admin-account as the delegated admin for Security Hub.


13.3 Stop AWS Config recording

  1. In the management account, open AWS Config.
  2. Go to Settings.
  3. Stop the configuration recorder.

If you created any extra Config rules just for the lab, delete those as well.


13.4 Clean up S3 buckets

In S3:

  • Empty and delete:
    • The Config logs bucket (if you created a dedicated one).
    • The test misconfig bucket (cspm-test-bucket-001, etc.).

13.5 Remove test security groups

In EC2:

  • Delete cspm-open-ssh-test and any other lab-only security groups.

13.6 Remove IAM test users & access keys

In the delegated admin account:

  • Delete any lab-only IAM users (for example cspm-cli-access).
  • Delete any associated access keys.

This is important so old credentials don’t linger.


13.7 (Optional) Remove delegated admin assignment

If this was purely a one-off lab:

  • In the management account, open Security Hub → Settings → Accounts.
  • Remove cspm-admin-account as the delegated administrator.

You can keep the account for future security experiments, or close it if you want to minimize cost and clutter.


1️⃣4️⃣ Final Thoughts

By the end of this lab you’ve:

  • Built a mini CSPM using AWS-native tools.
  • Followed a real enterprise pattern with a management account and delegated admin.
  • Enabled AWS Config and Security Hub CSPM at the org level.
  • Created and fixed intentional misconfigurations.
  • Exported findings via the AWS CLI / CloudShell.
  • Navigated SCPs, delegated admin errors, and role switching.
  • Cleaned up resources to keep your bill (and attack surface) low.

From here, great next steps would be:

  • Adding auto-remediation with Lambda or Systems Manager Automation.
  • Forwarding findings to a SIEM or logging platform.
  • Combining this with GuardDuty, IAM Access Analyzer, and Config Conformance Packs.

🤝 Connect

If you build on this and share your own twist, tag me; I’d love to see how your CSPM lab evolves. 🚀

💬 Feel free to reach out or follow my journey on 👉 LinkedIn
